Credential-access response is evidence preservation first. We identify which secret class was accessed, which account performed the read, what systems or directory attributes were touched, and which credentials must be rotated.
High-value telemetry
| Event | Meaning | Focus |
|---|---|---|
| 4662 | Directory object access | LAPS, gMSA, DCSync, sensitive LDAP attribute reads when auditing is configured |
| 5136 | Directory object modified | Delegation or ACL changes that grant secret read rights |
| 5140 | Network share accessed | SYSVOL, NETLOGON, administrative shares |
| 5145 | Detailed share access | Specific SYSVOL or share file paths |
| 4624 | Successful logon | Credential validation and lateral movement |
| 4625 | Failed logon | Password guessing or invalid reuse |
| 4672 | Special privileges assigned | Admin logons and sensitive operations |
| 4697 | Service installed | Remote dumping through service creation |
| 7045 | Service installed | Service creation on target host |
| 7036 | Service state change | Temporary remote execution services |
DCSync detection focuses on replication rights used by unexpected principals. Watch for Directory Replication Service operations from accounts that are not domain controllers, AD backup systems, or approved identity infrastructure.
LAPS and gMSA detection focuses on reads of sensitive attributes. In mature environments, enable SACLs on ms-Mcs-AdmPwd, Windows LAPS attributes, and msDS-ManagedPassword, then alert when unexpected users, workstations, or service accounts read them.
SYSVOL detection focuses on broad recursive reads, old GPP XML access, script access, and new file modification. Reading SYSVOL is normal; bulk collection and access to legacy preference XML is more interesting.
Triage commands
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662,5136,5140,5145,4624,4625,4672,4697} |
Select-Object TimeCreated,Id,ProviderName,Message
Review sensitive AD delegation
Get-ADObject -LDAPFilter '(objectClass=computer)' -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime |
Where-Object { $_.'ms-Mcs-AdmPwd' } |
Select-Object Name,DistinguishedName,ms-Mcs-AdmPwdExpirationTime
Get-ADObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)' -Properties msDS-GroupMSAMembership |
Select-Object Name,DistinguishedName,msDS-GroupMSAMembership
Review DCSync-style rights
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "DC=ootw,DC=local" -ResolveGUIDs |
Where-Object { $_.ObjectAceType -match "Replication-Get" -or $_.ActiveDirectoryRights -match "GenericAll|AllExtendedRights" }
Rotate after exposure
User password exposed Rotate the user password and invalidate active sessions.
Service password exposed Rotate the service password and update dependent services.
LAPS password exposed Trigger LAPS rotation on the affected host.
gMSA material exposed Rotate the gMSA password and review allowed retrievers.
krbtgt exposed Perform the krbtgt double-rotation process.
Local admin hash exposed Rotate local administrator passwords across affected hosts.
DPAPI secrets exposed Rotate affected application credentials, browser secrets, and RDP credentials.
Hardening checklist
- Remove legacy GPP
cpasswordXML from SYSVOL. - Limit LAPS read rights to operational groups that actually need host admin recovery.
- Limit gMSA retrieval rights to the hosts that run the service.
- Audit and alert on DCSync rights outside Domain Controllers and approved identity systems.
- Block broad local admin reuse with unique local administrator passwords.
- Remove passwords from
description,info, scripts, registry preferences, and file shares. - Monitor credential validation from unusual hosts immediately after secret reads.